Tuesday 15 April 2014

Windows 8.1 and Windows Server 2012 R2 Update 1 Caveats

Whenever we hear about updates for any device firmware, application software, or operating system software, it is _always_ a good idea to read the Release Notes (we probably all know the acronym that comes to mind here ;) ), README.TXT, _and_ do a search for the update to see if anyone is complaining about it. Unfortunately, this major update for Windows 8.1 and Windows Server 2012 R2 has its issues, some of which are full-stop problems. The first place to start for this update is here:
There is a lot of information there.
  1. Update 1 is the new baseline for all updates going forward.
    • Meaning, no more updates to that OS if the bits are earlier than 8.1 U1 or 2012 R2 U1.
  2. Update 1 breaks SSL communications between endpoints and WSUS
This last one is a deal breaker for many enterprises, medium enterprises, and especially in our own SMB/SME environments where WSUS is virtually everywhere for patch management.
We just stood up a new cluster on 2012 R2. After our Cluster-Aware Update run:
Our cluster nodes now have the update. Since this cluster setup is Greenfield, with WSUS ultimately ending up _on_ the cluster, the nodes were updated via Microsoft Update.
The workaround for this situation is to enable TLS 1.2 as instructed in the above blog post. Since we are deploying Windows Server 2012 R2 into client sites, we will have no choice but to make this change.
Then, when Microsoft releases an update to the update to hopefully fix the problem, we will need to test that update extensively, _especially_ in a cluster setting!
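A read-only check to run on the WSUS server before and after applying the TLS 1.2 workaround, as an added example that is not part of the original post or of Microsoft's instructions. It assumes the standard Schannel protocol registry location; the function name `Get-Tls12State` is hypothetical, and the syntax is kept PowerShell 2.0 compatible for older WSUS hosts.

```powershell
# Added example: read-only audit of the Schannel TLS 1.2 registry settings.
# Nothing is written to the registry. Run in an elevated session on the WSUS host.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-Tls12State {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Server','Client')]
        [string]$Role
    )

    $key     = Join-Path $base $Role
    $enabled = $null
    $dbd     = $null

    # The key is often absent; in that case the OS default decides.
    if (Test-Path $key) {
        $p       = Get-ItemProperty -Path $key
        $enabled = $p.Enabled            # DWORD; any non-zero value means enabled
        $dbd     = $p.DisabledByDefault  # DWORD; non-zero means off unless requested
    }

    if ($enabled -eq $null -and $dbd -eq $null) {
        $state = 'NotConfigured (OS default applies)'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } elseif ($dbd -ne $null -and $dbd -ne 0) {
        $state = 'DisabledByDefault'
    } else {
        $state = 'Enabled'
    }

    New-Object PSObject -Property @{
        Role              = $Role
        State             = $state
        Enabled           = $enabled
        DisabledByDefault = $dbd
    }
}

# Record the OS version next to the result so before/after runs can be compared.
"OS version: {0}" -f [Environment]::OSVersion.Version

# The Server role is what WSUS (IIS) uses to answer clients; Client is shown for completeness.
'Server','Client' | ForEach-Object { Get-Tls12State -Role $_ } |
    Select-Object Role, State, Enabled, DisabledByDefault |
    Format-Table -AutoSize
```

A `NotConfigured` result is not a failure on its own; it means the behaviour depends on the Windows version's built-in default, so compare it against what the update's documentation requires for that OS.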
Yo Microsoft! There is a huge pool of folks willing to test and break this stuff for you! Please get us involved in the early bits for operating systems, applications, and updates again. This ongoing situation of releasing patches and updates to the public without testing them on disparate systems is a _bad_ thing. :(
EDIT: Updated the Gladiator link since between Live Writer and Blogger it got mangled.
Philip Elder
Microsoft Cluster MVP
Co-Author: SBS 2008 Blueprint Book
Chef de partie in the SMBKitchen ASP Project
Find out more at
Third Tier: Enterprise Solutions for Small Business

1 comment:

Doug H. said...

If you are using 2012 R2 servers, you don't have this problem:
"Note If you are using the WSUS Server Role on Windows Server 2012 or Windows Server 2012 R2 to manage Windows 8.1 or Windows Server 2012 R2-based devices, you are not affected by this problem."

Where this would be a very serious problem is if you are in a pre-2008 R2 environment, because there is no ability to turn on TLS 1.2 to fix WSUS communication.

TLS 1.2 is the newest and most secure communication protocol for HTTPS. You WANT to be using this if your environment supports it (ref: http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).